This is about privatization. About five years ago, IT privatization was all the rage in the federal government. For reasons that have always escaped me, pro-privatization groups argued – successfully (and this is the part I find unbelievable) – that contracting out an agency’s IT work is a no-brainer and would lead only to good.
I just could never figure this out. Information technology, IT, data, what is more important to keep close to you and away from others than private information and the machinery that runs your agency?
As time passed more and more security breaches occurred, and some were even reported in the general media.
There was the break in at Tri-West, resulting in the theft of computers with data on medical care and benefits for one-third of our military. The security of this office was so poor that the thieves were able to make multiple trips in and out without raising any alarms.
And despite all this the problems with IT and data privatization just kept on coming. There was the giving contractors root access to the IRS computer system, and meanwhile the contractor’s employees – in violation of the contract – installed chat and other software that opened a big honkin’ highway that hackers could have used to do whatever they wanted.
And it just kept happening.
In 2006, GAO issued a damning report on just unbelievable losses as a result of contracting out information technology. For example, the FBI privatization contract with Trilogy was found in 2006 to have these “qualities” (link):
FBI’s review and approval process for Trilogy contractor invoices, which included a review role for the General Services Administration (GSA) as contracting agency, did not provide an adequate basis to verify that goods and services billed were actually received and that the amounts billed were appropriate, leaving FBI highly vulnerable to payments of unallowable costs. This vulnerability is demonstrated by FBI’s payment of about $10.1 million in questionable contractor costs we identified using data mining, document analysis, and other forensic auditing techniques. These costs included first-class travel and other excessive airfare costs, incorrect charges for overtime hours, potentially overcharged labor rates, and charges for which the contractors could not provide adequate supporting documentation to substantiate the costs purportedly incurred.
FBI also failed to establish controls to maintain accountability over equipment purchased for the Trilogy project. These control lapses resulted in more than 1,200 missing pieces of equipment valued at approximately $7.6 million that GAO identified as part of its review. In addition, in its own inventory counts, FBI identified 37 pieces of Trilogy equipment valued at approximately $167,000 that had been lost or stolen.
. . .
Given the poor control environment and the fact that GAO reviewed only selected FBI payments to Trilogy contractors, other questionable contractor costs may have been paid that have not been identified. If these control weaknesses go uncorrected, future contracts, including those related to Sentinel — FBI’s new electronic information management system initiative — will be highly exposed to improper payments. In addition, the lack of accountability for Trilogy equipment calls into question FBI’s ability to adequately safeguard its existing assets as well as those it may acquire in the future.
This is the FBI, not the local daycare, for goodness sakes. And they just got taken to the cleaners by these scam artists.
Now GAO has done a follow up study to assess how things are going with the FBI and its IT system contract. Things are better – though, recall, this would be better over a deep nadir of quality.
Here is GAO’s description of the background conditions:
In May 2001, FBI initiated a major IT upgrade project known as Trilogy to modernize its IT infrastructure and systems and provide needed applications, including a modern investigative case management system, to help FBI agents, analysts, and others do their jobs. In March 2004, after scheduling delays, cost overruns, and a failure to deliver the envisioned case management system component which became known as the Virtual Case File (VCF), you asked us to audit the costs of the project, which then totaled approximately $537 million. Our audit of Trilogy costs identified significant internal control deficiencies over the processing, review, approval, and payment of invoices as well as the accountability and control over assets purchased under the Trilogy project.
In order to improve this situation, the
FBI is now acquiring and deploying a new automated case management system, known as Sentinel, to replace the case management system that was to be delivered as part of the Trilogy project. Sentinel is being developed in four phases at an estimated cost of $425 million and is scheduled to be completed in May 2010. Phase 1 of the project was completed in June 2007
Here are some of the results found to exist now.
To test the accuracy and completeness of this database, we attempted to match the records in it with FBI’s official PMA records and vendor invoices. At the time of our test, most of the records we reviewed from the database contained discrepancies. The bar codes, serial numbers, cost, and other key information for the accountable property items recorded in the database did not agree to PMA records and vendor invoices. Furthermore, these discrepancies had not been detected by the [Sentinel Program Management Office (PMO)] PMO, indicating that it did not have adequate procedures for independently monitoring the accuracy and completeness of the contractor records upon which it was relying to create FBI’s official property record.
So, in other words, contractors checking on the work of contractors. And not exactly doing great work:
Our testing did not identify any missing assets. However, we found 20 property records for which there were valuation discrepancies between the contractor database, PMA, and the supporting vendor invoices. We referred these records to the PMO to investigate and resolve.
Here are some issues GAO mentions but which I find of great concern for quality and cost effectiveness.
1. Lockheed Martin is the contractor. There have been so many problems with their work as a contractor, it is amazing they ever get new contracts.
2. The contract is cost-plus and time-and- materials. Now if ever there were a big invitation to come on in and party hearty on someone else’s dime it is a cost-plus contract. There are no incentives to keep costs down, no real ones certainly in this contract. GAO suggests there are some limits to prevent problems, but the record for this sort of contract is just not good.
3. The contractor has subcontracted the work to other contractors who are paid on a cost-plus and time-and-materials basis. Every time you further contract work, that means a longer and longer chain for ensuring oversight and greater costs. It also means a loss of control. The records is that oversight does not happen, let alone adequate oversight.
Here’s what GAO says.
Lockheed Martin was awarded the Sentinel development contract in March 2006 through a governmentwide acquisition contract. The contract is a cost-plus award fee contract under which task orders will be issued for each phase of the project to be completed. Under a cost-plus award fee contract, costs incurred by the contractor that are allowable, reasonable, and allocable to the contract are reimbursed and fees may be awarded to the contractor based on acceptable performance. Under this type of contract, the government assumes most of the cost risk. The Federal Acquisition Regulation (FAR) requires agencies to mitigate this risk through adequate government oversight during the performance of the contract. In addition, the contractor must have adequate accounting systems to record and bill costs.
The Sentinel project and PMO are supported by five other contracted firms. These companies are providing administrative and engineering services to support the requirements definition, acquisition, and development support for the Sentinel system. Two of these firms were awarded cost-plus award fee contracts while the other three were awarded time and material (T&M) contracts. Under a T&M contract, the government agrees to pay fixed per-hour labor rates and to reimburse other costs directly related to the contract, such as materials, equipment, or travel, based on cost. Again, the government assumes the cost risk because the requirement for the contractor is to make a good faith effort to meet the government’s needs within a ceiling price. Accordingly, the government must monitor contractor performance to ensure efficient methods and effective cost controls are being used.
Here is what GAO found – sort of an absence of evidence, which is NOT evidence of absence of problems. And lots of ifs.
We determined that these policies and procedures, if properly implemented, should reduce the risk of improper payments to Sentinel contractors. In testing the implementation of these controls, we found the PMO had effectively implemented its invoice-processing controls. We did not identify any questionable contractor payments.
. . .
Based on our review of Sentinel invoice processing policy and procedures, examples of underlying documentation, and interviews with PMO staff, we found the PMO has established requirements for the Sentinel project that meet internal control standards for invoice review and approval. These requirements are responsive to the recommendations for correcting the invoice-processing deficiencies we identified in our prior Trilogy work and, if implemented properly, will help to ensure accurate and proper payments for goods and services purchased for the project.
The GAO found problems in the Asset-Tracking Database Sentinel created. Note that it failed to comply with the contract’s requirements, not a good sign. Instead of creating its own asset-tracking database, Lockheed Martin’s asset-tracking database was used.
And the result? . . . Problems, discrepancies, missing information.
The PMO did not establish its own asset-tracking database, as required by its policies and procedures, to track Sentinel equipment purchased by Lockheed Martin. Instead, the PMO decided to utilize, with some modification, the asset-tracking database developed and administered by Lockheed Martin. Using a contractor to create and maintain the asset-tracking database can be an effective control mechanism provided that appropriate managerial and oversight measures are taken to independently verify that all equipment has been accurately recorded in the database. The PMO uses this contractor database to create FBI’s official property record in PMA.
To test the accuracy and completeness of this database, we attempted to match the records in it with FBI’s official PMA records and vendor invoices. At the time of our test, most of the records we reviewed from the database contained discrepancies. The bar codes, serial numbers, cost, and other key information for the accountable property items recorded in the database did not agree to PMA records and vendor invoices. Furthermore, these discrepancies had not been detected by the PMO, indicating that it did not have adequate procedures for independently monitoring the accuracy and completeness of the contractor records upon which it was relying to create FBI’s official property record.
Other problems observed included a haphazard system of recoding bar codes from property items, problems with timeliness and accuracy of recording property, and other discrepancies.
To obtain assurance that the PMA records were complete, we matched the records in the corrected Lockheed Martin asset-tracking database to the records in PMA and found six accountable property items that were captured in the database but not recorded in PMA. When assets are not recorded in the property system, there is no record of their existence when physical inventories are performed. This limits the effectiveness of the physical inventory in detecting missing assets. We provided a list of these six assets to the PMO to research and resolve. PMO officials provided us an explanation for each of the six items on the list. One asset was improperly bar coded and one was not an accountable property item. The PMO was in the process of uploading the other four assets into PMA. These assets will be included in the 2008 inventory of Sentinel equipment which began in early 2008.
GAO made a number of recommendations which track these problems.
So there are improvements, but still persistent and predictable problems.
Now, tell me again why privatization is so good for the American people?
The report is Financial Management: FBI Has Designed and Implemented Stronger Internal Controls over Sentinel Contractor Invoice Review and Equipment Purchases, but Additional Actions Are Needed GAO-08-716R, July 15, 2008